On 9/11/14 11:08, Anne van Kesteren wrote:
> On Thu, Sep 11, 2014 at 5:56 PM, Richard Barnes <rbar...@mozilla.com> wrote:
>> Most notably, even over non-secure origins, application-layer encryption can
>> provide resistance to passive adversaries.
>
> See https://twitter.com/sleevi_/status/509723775349182464 for a long
> thread on Google's security people not being particularly convinced by
> that line of reasoning.

The brief detour into discussing opportunistic encryption in that
rambling thread [1] highlights a place where Ryan differs from the
growing consensus, at least within the IETF, that something is better
than nothing. He is out of step with the recognition that our historic
stance of "perfect or absent" is counterproductive. Theodore actually
puts it pretty succinctly in one of the IETF mailing list messages that
Henri cites: "For too long, I think, we've let the perfect be the enemy
of the good."

When you force people into an "all or nothing" situation regarding
security, "nothing" is the easy choice. If you provide tools for much
easier incremental improvement, people will be far more likely to deploy
something. Absolutism isn't the way to make progress: a transition path
with small, incremental steps that yield small, incremental improvements
gets you to where you want to be eventually.

By contrast, forcing people to swallow everything all at once only
serves to discourage adoption of any security at all.
____
[1] Which is now my favorite example of Twitter's shortcomings as a
communications medium.
--
Adam Roach
Principal Platform Engineer
a...@mozilla.com
+1 650 903 0800 x863